b2a87d283c61c661f5f3b28dbaf9f4f2a624097d0a94895adbfb576a54c14ac0

Analysis

max time kernel
1564s
max time network
1574s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/03/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

we-to-lively-main/README.md
Size

1KB
MD5

c08a99b21050c201163e6316a7dbcd8d
SHA1

314d41201b5cd5c6548dd644ac1548bd777ad56d
SHA256

706711a9ff6ab1288315652620ce7bad70aa65300faae2cf1deab2280192d90f
SHA512

a876c9ce9b6721c4fc0b7c1aa370c44b9e5989c13bb5cee2f6b178d0cfc9014b042729ff6a9727fd418c98e6249b6ceaac26d52e4e36f89fa9d24957913a4932

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\.md	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\md_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\md_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\md_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\md_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\md_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\.md\ = "md_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2408	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2408	AcroRd32.exe
2408	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2640	2460	cmd.exe	29
PID 2460 wrote to memory of 2640	2460	cmd.exe	29
PID 2460 wrote to memory of 2640	2460	cmd.exe	29
PID 2640 wrote to memory of 2408	2640	rundll32.exe	31
PID 2640 wrote to memory of 2408	2640	rundll32.exe	31
PID 2640 wrote to memory of 2408	2640	rundll32.exe	31
PID 2640 wrote to memory of 2408	2640	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\we-to-lively-main\README.md
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\we-to-lively-main\README.md
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\we-to-lively-main\README.md"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
470e3dc780506357f224093544af671d

SHA1
f7e06c7a0ae2275e6cbe069b71cb93e754a5cecc

SHA256
c2026923d62cad69f17b22c105e941b0ada5e8fb33f641a531cd4aa946573871

SHA512
f9feda3e2ce131ec2cfa9d022b274f0c3b93624a706eeb4265ac14bedf1f6b262d9d3d632647da491a0219f9e98cfd06101c7946946a6644731a2942a7f42639

Download Submit